introduction
We should always wonder for every API if all the current endpoint should even be available and if we maybe can't do with only allowing the whole API to communicate internally. To aid us we can ask ourself if this API even needs to be in production at all and who should have access to the API. If the specific API does needs to be in production, we can also ask ourselves if we are not using an outdated version of the API, if there is sensitive data exposed or how the data flows throughout the application and APIs.
A lack of documentation is a problem that plagues many companies and this only makes things worse because an undocumented API that does not send out traffic can remain undetected for a long time.
To ease the removal of older APIs we might consider a retirement plan for APIs that are no longer needed. Another tool we have at our disposal are inventory management systems which index every API and it's version, this can be used to perform a regular inspection of the API plan.
As long as these older APIs and their libraries remain unpatched, the system will be vulnerable to Improper Assets Management.
All of our labs are currently not properly managed, it surprises me nobody has taken root of the server yet!
API10:2019 Insufficient Logging & Monitoring
introduction
The title already says a lot but this vulnerability is a bit more complexity than it was at first sight, of course the API is vulnerable if it does not create any log entries or when the log level is set incorrectly but we should not neglect to also check whether or not the contents of the log messages are what is expected and that they contain enough detail.
A second aspect that is a bit harder to control is the log integrity, for example a malicious user might insert a special character that when written to the log breaks it. This is known as log injection and it could nullify all the logging efforts made.
When we finally have a clear plan of what to log, when and on what environment we need to ensure we are monitoring these logs, failure to do so would result in a massive decrease in the efficiency of our logging efforts.
Monitor everything, not just the logs but make you monitor the APIs and the infrastructure as well.
Even if our labs got hacked, we have no logging nor monitoring to even realise it!